diff --git a/readme-vars.yml b/readme-vars.yml
index a46e72080..4665007d6 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -31,6 +31,9 @@ param_usage_include_env: true
 param_env_vars:
   - {env_var: "WEBUI_PORT", env_value: "8080", desc: "for changing the port of the web UI, see below for explanation"}
   - {env_var: "TORRENTING_PORT", env_value: "6881", desc: "for changing the port of tcp/udp connection, see below for explanation"}
+opt_param_env_vars:
+  - {env_var: "WEBUI_USER", env_value: "", desc: "Set the WebUI username. If unset, defaults to 'admin'."}
+  - {env_var: "WEBUI_PASS", env_value: "", desc: "Set the WebUI password. If unset, a random password is generated on startup."}
 opt_param_usage_include_vols: true
 opt_param_volumes:
   - {vol_path: "/downloads", vol_host_path: "/path/to/downloads", desc: "Location of downloads on disk."}
@@ -99,6 +102,7 @@ init_diagram: |
   "qbittorrent:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "23.09.25:", desc: "Add optional WEBUI_USER and WEBUI_PASS environment variables."}
   - {date: "17.07.24:", desc: "Restore qbittorrent-cli as it now supports openssl 3."}
   - {date: "25.05.24:", desc: "Remove qbittorrent-cli as it still requires openssl 1.1 which is EOL."}
   - {date: "14.02.24:", desc: "Only set/override torrenting port if the optional env var is set."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run b/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run
index 25dd5efcf..3c289471b 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-qbittorrent-config/run
@@ -4,9 +4,11 @@
 # make our folder
 mkdir -p /config/qBittorrent
 
+CONFIG_FILE="/config/qBittorrent/qBittorrent.conf"
+
 # copy default config
-if [[ ! -f /config/qBittorrent/qBittorrent.conf ]]; then
-    cp /defaults/qBittorrent.conf /config/qBittorrent/qBittorrent.conf
+if [[ ! -f "$CONFIG_FILE" ]]; then
+    cp /defaults/qBittorrent.conf "$CONFIG_FILE"
 fi
 
 if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
@@ -19,3 +21,39 @@ if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
     lsiown -R abc:abc \
         /config
 fi
+
+# function to generate PBKDF2 hash exactly like qBittorrent source code
+generate_pbkdf2_hash() {
+    echo "$1" | python3 -c "
+import os, sys, base64, hashlib
+password = sys.stdin.read().rstrip('\n').encode()
+salt = os.urandom(16)
+hash_bytes = hashlib.pbkdf2_hmac('sha512', password, salt, 100000, 64)
+salt_b64 = base64.b64encode(salt).decode()
+hash_b64 = base64.b64encode(hash_bytes).decode()
+print(f'{salt_b64}:{hash_b64}')
+"
+}
+
+# ensure [Preferences] section exists if WebUI credentials are being configured
+if [[ -n ${WEBUI_USER} ]] || [[ -n ${WEBUI_PASS} ]]; then
+    if ! grep -q "^\s*\[\s*Preferences\s*\]" "$CONFIG_FILE"; then
+        echo "" >> "$CONFIG_FILE"
+        echo "[Preferences]" >> "$CONFIG_FILE"
+    fi
+fi
+
+# configure WebUI password
+if [[ -n ${WEBUI_PASS} ]]; then
+    echo "setting WebUI password using WEBUI_PASS"
+    PBKDF2_HASH=$(generate_pbkdf2_hash "$WEBUI_PASS")
+    sed -i '/^\s*WebUI\\Password_PBKDF2\s*=/d' "$CONFIG_FILE"
+    sed -i '/^\s*\[\s*Preferences\s*\]/a WebUI\\Password_PBKDF2="@ByteArray('"$PBKDF2_HASH"')"' "$CONFIG_FILE"
+fi
+
+# configure WebUI username
+if [[ -n ${WEBUI_USER} ]]; then
+    echo "setting WebUI username using WEBUI_USER"
+    sed -i '/^\s*WebUI\\Username\s*=/d' "$CONFIG_FILE"
+    sed -i '/^\s*\[\s*Preferences\s*\]/a WebUI\\Username="'"$WEBUI_USER"'"' "$CONFIG_FILE"
+fi